Jetty - ipaccess per connector? - ssl

Let's say I am enabling the ipaccess module on jetty:
jetty-ipaccess.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- =============================================================== -->
<!-- The IP Access Handler -->
<!-- =============================================================== -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler">
    <Arg>
      <New id="IPAccessHandler" class="org.eclipse.jetty.server.handler.IPAccessHandler">
        <Set name="white">
          <Array type="String">
            <Item>127.0.0.1</Item>
            <Item>192.168.1.168</Item>
          </Array>
        </Set>
        <Set name="whiteListByPath">false</Set>
      </New>
    </Arg>
  </Call>
</Configure>
Then I enable it with jetty/home/start.jar --add-to-start=ipaccess
But I want this filter to only apply to the http connector. I do not want it to apply to my https connector.
How do I configure it so that it only affects the http module, not the https module?
NOTE: In Jetty 10 this ipaccess module is replaced with another module:
https://github.com/eclipse/jetty.project/commit/3a4da94e1a69ee4c9cd3c936f50d58ee3440188e

The answer is that this is not yet possible, because assigning an IPAccessHandler or InetAccessHandler is only possible when you use the programmatic version of Jetty, not when you are starting it with start.jar.
So I created issue: https://github.com/eclipse/jetty.project/issues/3562
I created a PR to fix this: https://github.com/eclipse/jetty.project/pull/3572
And gregw@github took it and extended upon it here: https://github.com/eclipse/jetty.project/pull/3576
Once this is in a 9.4.x release I'll be all set.

Related

What is the difference between confidentialPort and securePort for Jetty

I am trying to enable Jetty's https port. Jetty is running inside a Karaf server.
There are different suggested configs found online though:
A version from https://karaf.apache.org/manual/latest/
<!-- Use this connector for many frequently idle connections and for
     threadless continuations. -->
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
      <Set name="host">
        <Property name="jetty.host" />
      </Set>
      <Set name="port">
        <Property name="jetty.port" default="8181" />
      </Set>
      <Set name="maxIdleTime">300000</Set>
      <Set name="Acceptors">2</Set>
      <Set name="statsOn">false</Set>
      <Set name="confidentialPort">8443</Set>
      <Set name="lowResourcesConnections">20000</Set>
      <Set name="lowResourcesMaxIdleTime">5000</Set>
    </New>
  </Arg>
</Call>
Another version from https://www.eclipse.org/jetty/documentation/9.1.5.v20140505/configuring-connectors.html
<New id="tlsHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg>
    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
      <Set name="secureScheme">https</Set>
      <Set name="securePort">
        <Property name="jetty.tls.port" default="8443"/>
      </Set>
      <Set name="outputBufferSize">32768</Set>
      <Set name="requestHeaderSize">8192</Set>
      <Set name="responseHeaderSize">8192</Set>
      <!-- Uncomment to enable handling of X-Forwarded- style headers
      <Call name="addCustomizer">
        <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg>
      </Call>
      -->
    </New>
  </Arg>
  <Call name="addCustomizer">
    <Arg>
      <New class="org.eclipse.jetty.server.SecureRequestCustomizer"/>
    </Arg>
  </Call>
</New>
I cannot get either of the two approaches to work. Do you have any hints on how to debug this issue and which approach is actually correct?
For stable (not-EOL) versions of Jetty, such as Jetty 9.4.x ...
The HttpConfiguration.securePort (a configuration present on a ServerConnector) is the logical port that identifies the secure port seen publicly to your clients.
Take this use case:
1. Browser on the public Internet requests https://acme.com/foo
2. Browser looks up DNS for acme.com and gets 210.1.1.1
3. Browser connects to 210.1.1.1 on port 443
4. Load Balancer / Proxy is listening on 210.1.1.1:443 and accepts the request.
5. Load Balancer adds Forwarding header and connects to internal IP 10.2.2.2:8443
6. Jetty server listening on 10.2.2.2:8443 accepts the connection and processes the request.
At this point, the configuration on the Jetty server has a ServerConnector on port 8443, whose HttpConfiguration.securePort has the value 443, as that's the public port that the browser sees.

How to set custom REST port for apache ignite when ignite is started as a service in Opendaylight apache karaf?

OpenDaylight uses port 8080, which is the same as the default Ignite REST HTTP port. So I tried to change the port on which Ignite listens for REST requests. Here is a Java code snippet for this.
System.setProperty("IGNITE_JETTY_PORT","7111");
System.setProperty("IGNITE_JETTY_HOST","localhost");
ignite = Ignition.start(config);
The above works fine and changes the Ignite REST port when I run it in Eclipse, but it fails when I start an Ignite instance in Apache Karaf.
I think you could try the XML configuration file of Ignite:
<property name="ConnectorConfiguration.jettyPath" value="config/ignite-rest.xml"/>
and the ignite-rest.xml looks like this:
<?xml version="1.0"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Arg name="threadPool">
    <!-- Default queued blocking thread pool -->
    <New class="org.eclipse.jetty.util.thread.QueuedThreadPool">
      <Set name="minThreads">20</Set>
      <Set name="maxThreads">200</Set>
    </New>
  </Arg>
  <New id="httpCfg" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="secureScheme">https</Set>
    <Set name="securePort">8443</Set>
    <Set name="sendServerVersion">true</Set>
    <Set name="sendDateHeader">true</Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server"/></Arg>
        <Arg>
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Ref refid="httpCfg"/>
              </New>
            </Item>
          </Array>
        </Arg>
        <!--
          Note that in order to override local host and port values,
          system properties must have names IGNITE_JETTY_HOST and
          IGNITE_JETTY_PORT accordingly.
        -->
        <Set name="host"><SystemProperty name="IGNITE_JETTY_HOST" default="localhost"/></Set>
        <Set name="port"><SystemProperty name="IGNITE_JETTY_PORT" default="9090"/></Set>
        <Set name="idleTimeout">30000</Set>
        <Set name="reuseAddress">true</Set>
      </New>
    </Arg>
  </Call>
  <Set name="handler">
    <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
      <Set name="handlers">
        <Array type="org.eclipse.jetty.server.Handler">
          <Item>
            <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection"/>
          </Item>
        </Array>
      </Set>
    </New>
  </Set>
  <Set name="stopAtShutdown">false</Set>
</Configure>
You can change the port in the configuration file as you like, and then start Ignite like this:
ignite = Ignition.start(igniteConfigPath);
You can change OpenDaylight's NB REST port if that would help. See the example provided by upstream configuration management tooling like puppet-opendaylight (docs, config logic).

How to enable SSL in Grails application using Jetty Plugin

I am trying to enable SSL for my application which uses Jetty plugin.
I have followed https://wiki.eclipse.org/Jetty/Howto/Configure_SSL and created my key and certificate using the Java keytool, but no luck so far.
Please help me in running my application using https locally or provide me some good reference to achieve my goal.
I have created a custom configuration, as shown below:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="keyStore">/keystore-ssl.jks</Set>
            <Set name="keyStorePassword">password</Set>
            <Set name="validateCerts">false</Set>
          </New>
        </Arg>
        <Set name="port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
</Configure>
and I am getting this error:
oejx.XmlConfiguration:main: Config error at <Call name="addConnector"><Arg>|
java.lang.ClassNotFoundException: org.eclipse.jetty.server.ssl.SslSelectChannelConnector
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at org.eclipse.jetty.util.Loader.loadClass(Loader.java:86)
This helped me in achieving my goal.
https://www.blackpepper.co.uk/blog/jetty-runner-https-xml-configuration
Just need to put the required xml content into jetty-server.xml

Apache Solr - Unable to access admin page

On Mac Snow Leopard, I have installed Apache Solr 4.2.0 using brew and started the server using the command below:
Usage: $ solr path/to/config/dir
When I try to access the admin page in the browser using the link below, a page with a SolrCore Initialization failure appears, as shown below:
http://localhost:8983/solr/admin
collection1: org.apache.solr.common.SolrException:org.apache.solr.common.SolrException: Could not load config for solrconfig.xml
The page also has message,
There are no SolrCores running.
Using the Solr Admin UI currently requires at least one SolrCore.
Any help regarding this is greatly appreciated.
In the root for the Solr config directory, there is a file called solr.xml. This file configures Solr cores. The file might contain:
<cores adminPath="/admin/cores" host="${host:}" hostPort="${jetty.port:}" hostContext="${hostContext:}" zkClientTimeout="${zkClientTimeout:15000}">
  <core default="true" name="auction" instanceDir="auctionConfigDir" />
</cores>
The important point is to match instanceDir="auctionConfigDir" with the actual path/to/config/dir. If Solr can't find the location of your configuration files, it won't be able to start a core.
sudo vim /opt/solr-4.8.1/example/etc/jetty.xml
change
<!-- This connector is currently being used for Solr because it
     showed better performance than nio.SelectChannelConnector
     for typical Solr requests. -->
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.bio.SocketConnector">
      <Set name="host">127.0.0.1</Set>
      <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
      <Set name="maxIdleTime">50000</Set>
      <Set name="lowResourceMaxIdleTime">1500</Set>
      <Set name="statsOn">false</Set>
    </New>
  </Arg>
</Call>
to
<!-- This connector is currently being used for Solr because it
     showed better performance than nio.SelectChannelConnector
     for typical Solr requests. -->
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.bio.SocketConnector">
      <Set name="host">0.0.0.0</Set>
      <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
      <Set name="maxIdleTime">50000</Set>
      <Set name="lowResourceMaxIdleTime">1500</Set>
      <Set name="statsOn">false</Set>
    </New>
  </Arg>
</Call>
then
sudo service solrd restart
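
Added example (not part of the original answers): a Python audit of a Jetty XML file that lists each connector's bind address, flags connectors listening on every interface (as after the 127.0.0.1 to 0.0.0.0 change above), and reports the server-level IPAccessHandler whitelist, which covers all connectors alike. The sample document is constructed from fragments quoted on this page; the helper names `setting` and `audit` are hypothetical, and property elements are resolved to their `default` attribute only.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the connector fragments quoted on this page.
SAMPLE = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="insertHandler"><Arg>
    <New class="org.eclipse.jetty.server.handler.IPAccessHandler">
      <Set name="white"><Array type="String">
        <Item>127.0.0.1</Item><Item>192.168.1.168</Item>
      </Array></Set>
    </New>
  </Arg></Call>
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.bio.SocketConnector">
      <Set name="host">0.0.0.0</Set>
      <Set name="port"><SystemProperty name="jetty.port" default="8983"/></Set>
    </New>
  </Arg></Call>
  <Call name="addConnector"><Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Set name="host"><SystemProperty name="IGNITE_JETTY_HOST" default="localhost"/></Set>
      <Set name="port"><SystemProperty name="IGNITE_JETTY_PORT" default="9090"/></Set>
    </New>
  </Arg></Call>
</Configure>"""

WILDCARD = {None, "0.0.0.0", "::"}  # an unset host also binds every interface

def setting(new, name):
    """Value of <Set name=...>: literal text, else the property element's default."""
    for s in new.findall("Set"):
        if s.get("name") == name:
            text = (s.text or "").strip()
            child = next(iter(s), None)
            return text or (child.get("default") if child is not None else None)
    return None

def audit(xml_text):
    """Return the server-level whitelist and each connector's bind address."""
    root = ET.fromstring(xml_text)
    white = [i.text.strip()
             for n in root.iter("New") if n.get("class", "").endswith("IPAccessHandler")
             for s in n.findall("Set") if s.get("name") == "white"
             for i in s.iter("Item") if i.text]
    connectors = []
    for new in root.findall(".//Call[@name='addConnector']/Arg/New"):
        host, port = setting(new, "host"), setting(new, "port")
        connectors.append({"class": new.get("class", "").rsplit(".", 1)[-1],
                           "host": host, "port": port, "all_interfaces": host in WILDCARD})
    return {"whitelist": white, "connectors": connectors}
```

A value taken from a property default is what Jetty uses only when that property is not set at start-up.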

Configuring DataSources with IDEA IntelliJ Jetty Plugin (jetty-env.xml)

I'm trying to get started with the IDEA IntelliJ Jetty Plugin. In our application we use a JNDI DataSource to access the actual database.
For development therefore we generate a jetty-env.xml and include this in the WEB-INF directory during development deploys:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure class="org.mortbay.jetty.webapp.WebAppContext">
  <!-- Add a JNDI resource -->
  <New class="org.mortbay.jetty.plus.naming.Resource">
    <Arg>datasource_pbv</Arg>
    <Arg>
      <New class="org.apache.commons.dbcp.BasicDataSource">
        <Set name="DriverClassName">oracle.jdbc.driver.OracleDriver</Set>
        <Set name="Url">jdbc:oracle:thin:@dbserver:1521:DATABASE</Set>
        <Set name="Username">user</Set>
        <Set name="Password">pass</Set>
      </New>
    </Arg>
  </New>
</Configure>
I reconfigured the Jetty WebAppDeployer in jetty.xml that way, so it uses the org.mortbay.jetty.plus.webapp.EnvConfiguration which reads and processes the jetty-env.xml:
<Configure id="Server" class="org.mortbay.jetty.Server">
  ...
  <Array id="plusConfig" type="java.lang.String">
    <Item>org.mortbay.jetty.webapp.WebInfConfiguration</Item>
    <Item>org.mortbay.jetty.plus.webapp.EnvConfiguration</Item>
    <Item>org.mortbay.jetty.plus.webapp.Configuration</Item>
    <Item>org.mortbay.jetty.webapp.JettyWebXmlConfiguration</Item>
    <Item>org.mortbay.jetty.webapp.TagLibConfiguration</Item>
  </Array>
  ...
  <Call name="addLifeCycle">
    <Arg>
      <New class="org.mortbay.jetty.deployer.WebAppDeployer">
        ...
        <Set name="configurationClasses"><Ref id="plusConfig"/></Set>
      </New>
    </Arg>
  </Call>
  ...
</Configure>
Unfortunately this doesn't work with the IDEA Jetty plugin. The IDEA Jetty Plugin generates a context-config.xml and a subsequent war-exploded.xml which does not add the EnvConfiguration. Therefore the jetty-env.xml is ignored when deploying with the Jetty IDEA Plugin.
How can I make this work, or are there other ways to provide custom JNDI entries when deploying using the IDEA Jetty Plugin?
I haven't checked myself, but since IDEA Jetty integration relies on ContextDeployer, the following should work (if added to jetty.xml):
<Call name="addLifeCycle">
  <Arg>
    <New class="org.mortbay.jetty.deployer.ContextDeployer">
      ...
      <Set name="configurationClasses"><Ref id="plusConfig"/></Set>
    </New>
  </Arg>
</Call>